US11611572B2ActiveUtilityA1

System and method of processing information security events to detect cyberattacks

85
Assignee: AO Kaspersky LabPriority: Jun 19, 2020Filed: Nov 13, 2020Granted: Mar 21, 2023
Est. expiryJun 19, 2040(~13.9 yrs left)· nominal 20-yr term from priority
G06N 3/09H04L 63/1425G06N 3/08H04L 63/1416G06F 21/552G06N 20/00G06N 5/01
85
PatentIndex Score
3
Cited by
12
References
20
Claims

Abstract

A method for processing information security events of a computer system includes receiving information related to a plurality of information security events occurred in the computer system. Each of the events includes an event related to a possible violation of information security of the computer system. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events from the false positive to the information security incident. A number of events in the subset is lower than a second threshold. An analysis of the events having a verdict of the information security incident is performed to determine if the computer system is under a cyberattack.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method for processing information security events to detect cyberattacks on a computer system, the method comprising:
 receiving information related to a plurality of information security events occurred in the computer system, wherein each of the plurality of information security events comprises an event related to a possible violation of information security of the computer system; 
 determining a verdict for each of the plurality of the received information security events, wherein the verdict comprises: i) information security incident or ii) false positive and wherein the verdict is false positive if the probability of a false positive for the corresponding information security event is greater than a first threshold; 
 changing verdicts for a subset of the plurality of information security events from the false positive to the information security incident, wherein the subset of the plurality of information security events whose verdicts are to be changed are selected at random from among the information security events whose verdicts are determined as being false positive, and wherein a number of information security events in the subset is lower than a second threshold; and 
 performing analysis of the information security events having a verdict of the information security incident to determine if the computer system is under a cyberattack. 
 
     
     
       2. The method of  claim 1 , wherein receiving information related to the plurality of information security events further comprises receiving one or more event security notifications related to an object of the computer system and wherein the one or more event security notifications include a marker characterizing an event that occurred in the computer system and a timestamp indicating time interval during which corresponding information about the event was gathered, and wherein the first threshold is related to a quality metric of the trained machine learning model. 
     
     
       3. The method of  claim 2 , wherein the verdict is determined using a trained machine learning model based on at least one of the following: characteristics of the one or more event security notifications, one or more sources of the one or more event security notifications, characteristics of the one or more sources of the one or more event security notifications. 
     
     
       4. The method of  claim 1 , wherein performing the analysis of the information security events further comprises performing the analysis of the information security events having a lowest probability of a false positive. 
     
     
       5. The method of  claim 1 , wherein the verdict comprises one of: a fuzzy verdict, a tentative verdict, a final verdict. 
     
     
       6. The method of  claim 2 , wherein the marker characterizing an event that occurred in the computer system includes at least one of the following: a checksum of at least a portion of the object, a source of a resource from which the object was embedded on the computer system, results of an emulation of the execution of the object, a log of calls of system functions from the object, time of appearance of the object on the computer system, data being transmitted by the object through a computer network. 
     
     
       7. The method of  claim 1 , wherein determining the verdict further comprises calculating hash for a corresponding object and determining if the calculated hash corresponds to a known malicious object. 
     
     
       8. The method of  claim 3 , further comprising determining the second threshold based on the results of the analysis performed on the first set of the information security events. 
     
     
       9. The method of  claim 8 , further comprising modifying a training sample of the trained machine learning model based on the results of the analysis performed on the first set of information security events. 
     
     
       10. A system for processing information security events to detect cyberattacks on a computer system, the system comprising:
 a hardware processor configured to:
 receive information related to a plurality of information security events occurred in the computer system, wherein each of the plurality of information security events comprises an event related to a possible violation of information security of the computer system; 
 determine a verdict for each of the plurality of the received information security events, wherein the verdict comprises: i) information security incident or ii) false positive and wherein the verdict is false positive if the probability of a false positive for the corresponding information security event is greater than a first threshold; 
 change verdicts for a subset of the plurality of information security events from the false positive to the information security incident, wherein the subset of the plurality of information security events whose verdicts are to be changed are selected at random from among the information security events whose verdicts are determined as being false positive, and wherein a number of information security events in the subset is lower than a second threshold; and 
 perform analysis of the information security events having a verdict of the information security incident to determine if the computer system is under a cyberattack. 
 
 
     
     
       11. The system of  claim 10 , wherein the hardware processor configured to receive information related to the plurality of information security events is further configured to receive one or more event security notifications related to an object of the computer system and wherein the one or more event security notifications include a marker characterizing an event that occurred in the computer system and a timestamp indicating time interval during which corresponding information about the event was gathered and wherein the first threshold is related to a quality metric of the trained machine learning model. 
     
     
       12. The system of  claim 11 , wherein the verdict is determined using a trained machine learning model based on at least one of the following: characteristics of the one or more event security notifications, one or more sources of the one or more event security notifications, characteristics of the one or more sources of the one or more event security notifications. 
     
     
       13. The system of  claim 10 , wherein the hardware processor configured to perform the analysis of the information security events is further configured to perform the analysis of the information security events having a lowest probability of a false positive. 
     
     
       14. The system of  claim 10 , wherein the verdict comprises one of: a fuzzy verdict, a tentative verdict, a final verdict. 
     
     
       15. The system of  claim 11 , wherein the marker characterizing an event that occurred in the computer system includes at least one of the following: a checksum of at least a portion of the object, a source of a resource from which the object was embedded on the computer system, results of an emulation of the execution of the object, a log of calls of system functions from the object, time of appearance of the object on the computer system, data being transmitted by the object through a computer network. 
     
     
       16. The system of  claim 10 , wherein the hardware processor configured to determine the verdict is further configured to calculate fuzzy hash for a corresponding object and to determine if the calculated hash corresponds to a known malicious object. 
     
     
       17. The system of  claim 12 , wherein the hardware processor is further configured to determine the second threshold based on the results of the analysis performed on the first set of the information security events. 
     
     
       18. The system of  claim 17 , wherein the hardware processor is further configured to modify a training sample of the trained machine learning model based on the results of the analysis performed on the first set of information security events. 
     
     
       19. A non-transitory computer readable medium storing thereon computer executable instructions processing information security events to detect cyberattacks on a computer system, including instructions for:
 receiving information related to a plurality of information security events occurred in the computer system, wherein each of the plurality of information security events comprises an event related to a possible violation of information security of the computer system; 
 determining a verdict for each of the plurality of the received information security events, wherein the verdict comprises: i) information security incident or ii) false positive and wherein the verdict is false positive if the probability of a false positive for the corresponding information security event is greater than a first threshold; 
 changing verdicts for a subset of the plurality of information security events from the false positive to the information security incident, wherein the subset of the plurality of information security events whose verdicts are to be changed are selected at random from among the information security events whose verdicts are determined as being false positive, and wherein a number of information security events in the subset is lower than a second threshold; and 
 performing analysis of the information security events having a verdict of the information security incident to determine if the computer system is under a cyberattack. 
 
     
     
       20. The non-transitory computer readable medium of  claim 19 , wherein the instructions for receiving information related to the plurality of information security events further comprise instructions for receiving one or more event security notifications related to an object of the computer system and wherein the one or more event security notifications include a marker characterizing an event that occurred in the computer system and a timestamp indicating time interval during which corresponding information about the event was gathered and wherein the first threshold is related to a quality metric of the trained machine learning model.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.